Cardiac Exsanguination: a Heartbleed damage round-up

It’s been two months since a critical vulnerability in the OpenSSL cryptography library, codenamed Heartbleed, was disclosed publicly. This bug is most likely going to be the most important vulnerability of 2014, or even of the entire decade, overshadowing in advance most of the other mishaps that are yet to happen, unless any of them affects the entire Web. And that’s exactly the case with Heartbleed: it was a real “red alert” for the Internet. Security expert Bruce Schneier rated it 11 on a threat scale of 1 to 10. Some experts called Heartbleed the greatest Internet disaster ever.

Now, what about factual damage? Was there any? The short answer is “yes, but…”, and the longer one would be quite long indeed.

Public attention to Heartbleed is now basically fading, although the recent disclosure of six more bugs in OpenSSL forced us all to refresh our memory. But the problem itself hasn’t gone away entirely, and it would be fair to say it is still developing.

So far there are only a few known (i.e., openly publicized) cases of real exploitation of the Heartbleed bug. For instance, some Yahoo passwords leaked, presumably due to Heartbleed, on April 8th, the day after The Disclosure.

J. Alex Halderman, an assistant professor of electrical engineering and computer science at the University of Michigan, reported that someone from China attempted to attack a University server via the Heartbleed hole, also on April 8th. The “server” was in fact a honeypot, crafted specifically to catch attackers. Within the following week Halderman and his team detected over 40 attempts to exploit Heartbleed, half of them originating from China.
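Halderman’s honeypot could tell an exploitation attempt from ordinary traffic because a Heartbleed probe is a TLS heartbeat request whose declared payload length is larger than the bytes it actually carries, which is exactly the consistency check (RFC 6520) that a patched OpenSSL applies. The following detector is an added example, not code from the article or from Halderman’s team: it walks a buffer of TLS records and flags any heartbeat whose header claims more payload than the record holds. The record layout follows the TLS and RFC 6520 wire formats; the sample records are constructed for this example, not captured traffic.

```python
"""Defender-side check for length-inconsistent TLS heartbeat records.

Added example (not from the original article). Flags heartbeat records whose
declared payload_length exceeds the data actually present, the inconsistency
that a fixed OpenSSL rejects silently. All sample records below are constructed.
"""
import struct

TLS_HEARTBEAT = 24      # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16     # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(buf: bytes):
    """Yield (content_type, version, fragment) for each complete TLS record.

    Stops at a truncated trailing record instead of guessing its contents.
    """
    off = 0
    while off + 5 <= len(buf):
        ctype, ver, length = struct.unpack("!BHH", buf[off:off + 5])
        frag = buf[off + 5:off + 5 + length]
        if len(frag) < length:
            break  # truncated record; nothing further to inspect
        yield ctype, ver, frag
        off += 5 + length


def check_heartbeat(frag: bytes):
    """Return None if the heartbeat fragment is self-consistent, else a reason.

    Implements the RFC 6520 section 4 rule: a message must carry its 3-byte
    header, payload_length bytes of payload and at least 16 bytes of padding.
    """
    if len(frag) < 3:
        return "heartbeat shorter than its 3-byte header"
    hb_type = frag[0]
    payload_len = struct.unpack("!H", frag[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"unknown heartbeat type {hb_type}"
    if 3 + payload_len + HB_MIN_PADDING > len(frag):
        available = max(len(frag) - 3 - HB_MIN_PADDING, 0)
        return (f"declared payload_length {payload_len} exceeds "
                f"{available} bytes available")
    return None


def inspect(buf: bytes):
    """Return [(record_index, reason), ...] for suspicious heartbeat records."""
    findings = []
    for idx, (ctype, _ver, frag) in enumerate(parse_tls_records(buf)):
        if ctype != TLS_HEARTBEAT:
            continue  # handshake, alert and application data are not checked
        reason = check_heartbeat(frag)
        if reason is not None:
            findings.append((idx, reason))
    return findings


def _record(ctype: int, frag: bytes) -> bytes:
    """Wrap a fragment in a TLS 1.1 record header (constructed sample data)."""
    return struct.pack("!BHH", ctype, 0x0302, len(frag)) + frag


# Constructed samples, not captured traffic.
BENIGN = _record(TLS_HEARTBEAT,
                 bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
MALFORMED = _record(TLS_HEARTBEAT,
                    bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"\x00" * 16)
HANDSHAKE = _record(22, b"\x01\x00\x00\x04\x03\x02\x00\x00")
SAMPLE_STREAM = HANDSHAKE + BENIGN + MALFORMED

if __name__ == "__main__":
    for idx, reason in inspect(SAMPLE_STREAM):
        print(f"record {idx}: {reason}")
```

The check operates on plaintext records, so in practice it belongs before encryption is applied (heartbeats sent during the handshake, or an IDS with session keys), and a single flagged record is a strong signal because legitimate TLS stacks never emit a heartbeat whose payload length exceeds the record.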

Was there any real damage inflicted by Heartbleed? The short answer is yes.

On April 11 (four days after The Disclosure) CloudFlare challenged security experts to exploit Heartbleed in order to steal SSL keys from a server. It was done successfully twice. One of these researchers – Fedor Indutny – wrote a Node.js script which generated over 2.5 million requests for data over the span of the challenge. Indutny eventually posted some details on his work here.

A few days after the Heartbleed disclosure the Canada Revenue Agency reported that someone had exploited Heartbleed (again on April 8th) to steal the Social Insurance Numbers of 900 taxpayers – just in time: the CRA eventually pushed the tax deadline to May 5.

On April 16 a 19-year-old student was arrested and charged with “unauthorized use of a computer” and “mischief in relation to data”. It was the first and, apparently, the only arrest so far related to the bug.

A number of accounts on Mumsnet, a parents-oriented network, were hijacked a few days after The Disclosure: Heartbleed allowed the owners’ credentials to be exposed. The hacker actually announced himself or herself on the network, claiming that he (or she) wanted to show how serious the Heartbleed problem is. Check.

BBC News reported on April 29 that a number of researchers had successfully exploited Heartbleed to infiltrate several underground forums used by cybercriminals, forums that are otherwise next to impossible to penetrate. It’s pretty amusing to see cyber-miscreants given a taste of their own medicine (although there’s little new here). However, they must have patched their dens promptly.

Worse than the damage actually inflicted is the potential damage, which is hard or impossible to avert.

For instance, immediately after The Disclosure Google reported that it had patched its services and claimed that all Android versions are immune to Heartbleed “with limited exception of Android 4.1.1”, which happened to be the most widely used version of Android (29% as of June 1st, about 34% in mid-April). It can potentially be patched against the vulnerability, but it’s unclear how many devices have been or will be updated.

Even worse is the number of smart devices affected by the bug: Wired and others report that home routers and corporate firewalls, printers, video cameras, thermostats, home management gadgets, and even baby monitors are all vulnerable, and the question is whether patching is possible at all and whether it would be applied – automatically or manually.

At the end of May, Portuguese security researcher Luis Grangeia described how the Heartbleed vulnerability can be used over Wi-Fi. According to Grangeia, who even posted a proof of concept, the new attack method allows data to be pulled from enterprise routers using “the same Heartbleed procedure over Wi-Fi instead of the open Web”, or from Android devices using a malicious router.

So, as we can see, the story is far from over. Even though most servers on the Web seem to be patched, according to some estimates there are still hundreds of thousands of servers prone to “cardiac exsanguination”.

It is unclear whether Heartbleed was really exploited before The Disclosure. There is no positive confirmation of that, but there is also no way to deny it beyond any doubt. Quite unsurprisingly, a lot of rumors whirled up about possible NSA knowledge and exploitation of Heartbleed at least two years prior to its public disclosure. The NSA denied it, of course, but a rumor is a persistent thing, especially in cases like this.

And the Heartbleed itself will persist too, at least for some time.

Still, there is at least one positive outcome from both Heartbleed and the later (and less fancy) disclosures made by the OpenSSL Project: they have drawn a lot of attention from the general public and tech experts to passwords and security overall.

Ensuring security on the Web is something that requires active effort from all parties concerned. Few would doubt this truth, but from time to time it bears reminding, even by reminders as unsubtle as Heartbleed.